Security Engineer II

About The Position

Requirements

• Experience developing/reviewing system authorization documentation (family plans and supplementary artifacts) in accordance with Department of War (DoW) implementation of the Risk Management Framework (RMF)
• Experience participating in Technical Interchange Meetings (TIMs) on a wide range of Program Management Office (PMO) security engineering topics
• Experience participating in acquisition program engineering milestone reviews
• Experience coordinating and collaborating with Development contract personnel in Security, System Administration, System Engineering, and other supporting roles to identify, document, and plan for security enhancement requirements and to resolve program security issues
• Experience coordinating and collaborating with inheritance providers (e.g., enterprise teams in USTRANSCOM, Surface Deployment and Distribution Command [SDDC], Air Mobility Command [AMC], Defense Information Systems Agency [DISA] Security Office, etc.) to determine hybrid security requirements and established appropriate inheritance relationships using tools provided
• Experience performing security activities to maintain authorization of PMO programs (e.g., categorization, control selection, evidence collection and audit, risk assessments, reporting, security impact assessments affiliated with change management practices, Incident Response (IR)/Contingency Plan (CP) Exercise Support, Federal Information Security Management Act (FISMA) Reporting, Continuous Monitoring, etc.)
• Experience using DoW Enterprise Mission Assurance Support Service (eMASS) system
• Experience providing support to ensure PMO systems are designed, developed, and deployed in accordance with applicable Executive Orders, Federal Policy, DoW regulations, USTRANSCOM requirements, and commercial best practice
• Experience reviewing vulnerability scans using Assured Compliance Assessment Solution (ACAS)/Nessus, analyzing outputs to identify vulnerabilities, recommending mitigation and remediation actions, ingest actions in eMASS
• Experience supporting the Government Customer through critical review of documented DISA STIGs/SRGs, providing technical feedback and recommendations to customer for areas of improvement in reporting accurate qualitative results, and ingesting final product in the government-supplied tool to support risk assessment of the NIST controls.
• Experience generating, sustaining, extending (when appropriate), and reporting status associated with POA&M requirements
• Experience conducting and evaluating security testing activities including security assessments and audits
• Experience supporting operational security activities (e.g., risk mitigation, host security, encryption, intrusion detection, Virtual Private Network [VPN] implementations, and viral detections)
• Experience with security lockdown and/or hardening of servers and network devices
• Ability to coordinate overall security strategy with multiple agencies, Authorizing Official (AO) representatives
• Ability to coordinate with developers, vendors, and other government organizations/agencies to assess security engineering issues
• Experience recommending changes to network and security architecture to improve security posture and meet operational performance requirements
• Must be a US Citizen with an active DoW Secret, or higher, clearance
• Bachelor’s degree in Computer Science, Cybersecurity, or equivalent Information Technology academic studies
• Active IAM II Certification in Good Standing (e.g., ISC2 CGRC [formerly CAP], CompTIA Security X [formerly CASP+CE], ISACA CISM, ISC2 CISSP (or associate), GIAC GSLC, EC-Council CCISO)
• 1+ years of Security Engineering experience as Information Systems Security Officer (ISSO), Information Systems Security Manager (ISSM), Security Controls Assessor (SCA), Cyber Security Analyst/Engineer

Responsibilities

• Reviews evolving NIST requirements to support risk assessment activities associated with the affiliated system requirements and specifications (execution, mapping, and compliance tracking).
• Prepares detailed specifications from which cybersecurity deficiencies identified during risk assessment will be mitigated/remediated and conducts follow-up risk assessment to ensure proper secure coding practices and STIG/SRG implementation are being built-in/enforced to the greatest extent possible.
• Collaborates closely with government customers to develop appropriate POA&Ms and support risk acceptance activities as needed to support risk management processes.
• Reviews evolving National Institute of Standards and Technology (NIST) requirements to support risk assessment activities associated with the affiliated system requirements and specifications (execution, mapping, and compliance tracking).
• Prepares detailed specifications from which cybersecurity deficiencies identified during risk assessment will be mitigated/remediated and conducts follow-up risk assessment to ensure proper secure coding practices and Security Technical Implementation Guide (STIG)/Security Requirements Guide (SRG) implementation are being built-in/enforced to the greatest extent possible.
• Collaborate closely with government customers to develop appropriate Plan of Action and Milestones (POA&Ms) and support risk acceptance activities as needed to support risk management processes.
• Responsible for designing and implementing solutions for protecting confidentiality, integrity, and availability of sensitive information.
• Provides technical evaluations of IT systems and assists with making security improvements.
• Participates in design of information system contingency plans that maintain appropriate levels of protection and meet time requirements for minimizing operations impact to customer organization.
• Conducts security product evaluations, and recommends products, technologies and upgrades to improve the organization’s security posture.
• Conduct testing and audit log reviews to evaluate the effectiveness of current security measures.
• Participates in team initiatives including the drafting of deliverables and peer reviews of others’ products.